My understanding is that Basic is essentially considered insecure. I'd be
surprised if modern browsers support it because it opens the way to a
man-in-the-middle downgrade attack. Hence I guess it's remained undefined
for so long because even if it was fixed, nobody should use it. I would be
surprised if the draft mentioned below got anywhere in the IETF.
HTH,
Pete Cordell
Codalogic Ltd
Interface XML to C++ the easy way using C++ XML
data binding to convert XSD schemas to C++ classes.
Visit http://codalogic.com/lmx/ or http://www.xml2cpp.com
for more info
----- Original Message -----
From: "David Lee" <dlee@calldei.com>
To: <xml-dev@lists.xml.org>
Sent: Sunday, January 29, 2012 7:53 PM
Subject: [xml-dev] RE: Encoding charset of HTTP Basic Authentication
> More study and I lucked on a spec
>
>
>
> http://tools.ietf.org/id/draft-reschke-basicauth-enc-00.html
>
>
>
> Seems a known and open problem (how long has this been in the wild ? How
> did
> it ever work ?)
>
> So follow-on question ...
>
>
>
> Does anyone know if this spec or anything like it has been adopted ?
>
> Or do we just all assume the world is "USASCII" as usual ?
>
>
>
>
>
>
>
>
>
> ----------------------------------------
>
> David A. Lee
>
> dlee@calldei.com
>
> http://www.xmlsh.org
>
>
>
> From: David Lee [mailto:dlee@calldei.com]
> Sent: Sunday, January 29, 2012 2:43 PM
> To: xml-dev@lists.xml.org
> Subject: Encoding charset of HTTP Basic Authentication
>
>
>
> I know this is not an "xml" question but maybe someone on this list knows
> or
> can point me to the right direction ?
>
>
>
> Is there a defined character set for the strings used in user/password in
> HTTP Basic Authentication ?
> I can't find any reference in the W3C specs
>
>
>
> http://www.w3.org/Protocols/HTTP/1.0/spec.html#BasicAA
>
>
>
> It says its "Base64" encoded but that only makes sense on a byte array not
> a
> string.
>
> So what encoding/charset is the string assumed to be ?
> I found some apache software that lets you specify this ... but is there
> any
> 'standard' ?
>
>
>
> Example: if someone uses a password like "飯田西"
>
>
> What charset should be used to pass that to the base64 encoding ?
>
>
>
> ----------------------------------------
>
> David A. Lee
>
> dlee@calldei.com
>
> http://www.xmlsh.org
>
>
>
>